CVE-2024-38652
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to delete arbitrary files on Ivanti Avalanche servers through path traversal in the skin management component. This can lead to denial of service by deleting critical system files. All organizations running vulnerable versions of Ivanti Avalanche are affected.
💻 Affected Systems
- Ivanti Avalanche
📦 What is this software?
Avalanche by Ivanti
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical operating system files, rendering the server inoperable and requiring full restoration from backups.
Likely Case
Denial of service through deletion of application or configuration files, causing service disruption until files are restored.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthenticated access to the vulnerable component.
🎯 Exploit Status
The vulnerability requires no authentication, and path traversal exploitation is well understood, making weaponization likely even without a public PoC.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.4
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-4-CVE-2024-38652-CVE-2024-38653-CVE-2024-36136-CVE-2024-37399-CVE-2024-37373
Restart Required: Yes
Instructions:
1. Download Ivanti Avalanche 6.4.4 from the Ivanti support portal.
2. Back up the current configuration and data.
3. Run the installer to upgrade to version 6.4.4.
4. Restart the Avalanche service or server as prompted.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Avalanche web interface to trusted IP addresses only.
Use firewall rules to allow only specific IP ranges to access the TCP ports used by Avalanche (typically 80/443 and the management ports).
Disable Skin Management
Temporarily disable the skin management component if it is not required.
Navigate to Avalanche administration console > System Settings > disable skin management features.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Avalanche servers from untrusted networks
- Deploy web application firewall (WAF) rules to block path traversal patterns in HTTP requests
🔍 How to Verify
Check if Vulnerable:
Check the Avalanche version in the administration console under Help > About. If the version is 6.3.1 or earlier, the system is vulnerable.
Check Version:
In Avalanche console: Help > About displays version information
Verify Fix Applied:
After patching, verify the version shows 6.4.4 or later in the administration console. Test that the skin management component functions properly without allowing path traversal.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' or similar path traversal patterns to skin management endpoints
- File deletion events in system logs from the Avalanche process
- Access denied errors for critical system files
Network Indicators:
- HTTP requests with path traversal payloads to Avalanche web interface
- Unusual file deletion patterns via HTTP POST requests
SIEM Query:
source="avalanche.log" AND (http_uri="*../*" OR http_uri="*..\\*" OR http_uri="*%2e%2e%2f*")
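The SIEM query above only matches three literal spellings of the traversal sequence. As an added example (not part of the advisory and not Ivanti code), the Python script below applies the same log indicators to access-log lines but first decodes the request URI, including double percent-encoding, and normalises backslashes, so that variants such as `%252e%252e%252f` or `..%5c` are caught as well. The log layout, host addresses and `/skins/...` endpoint paths are constructed for the example; the real Avalanche skin management endpoints are not given on this page.

```python
"""Flag path-traversal attempts in web access logs (added example).

Constructed detection helper illustrating the log indicators listed in
the advisory: '../', '..\\' and percent-encoded forms such as '%2e%2e%2f'.
It decodes the request URI (twice, to catch double encoding), normalises
backslashes to slashes and looks for a literal '..' segment in the path or
in any query-string value. The log format, client addresses and endpoint
paths below are constructed and are not taken from Ivanti Avalanche.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines in a combined-log-style layout.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2024:12:00:01 +0000] "GET /skins/default/logo.png HTTP/1.1" 200 512
203.0.113.10 - - [10/Aug/2024:12:00:02 +0000] "POST /skins/delete?name=../../etc/passwd HTTP/1.1" 200 17
203.0.113.11 - - [10/Aug/2024:12:00:03 +0000] "POST /skins/delete?name=%2e%2e%2f%2e%2e%2fconf%2fserver.xml HTTP/1.1" 200 17
203.0.113.12 - - [10/Aug/2024:12:00:04 +0000] "POST /skins/delete?name=%252e%252e%252fboot.ini HTTP/1.1" 200 17
203.0.113.13 - - [10/Aug/2024:12:00:05 +0000] "POST /skins/delete?name=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 17
203.0.113.14 - - [10/Aug/2024:12:00:06 +0000] "GET /skins/default/..hidden/style.css HTTP/1.1" 200 300
"""

# client ip, timestamp, method, URI and status of a combined-log request line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)


def normalize_uri(uri: str) -> str:
    """Percent-decode up to twice (catches double encoding), unify separators."""
    decoded = uri
    for _ in range(2):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def has_traversal(uri: str) -> bool:
    """True if any path segment or query value segment is exactly '..'."""
    norm = normalize_uri(uri)
    # '?', '&' and '=' are treated as boundaries too, so traversal hidden
    # inside a query parameter value is detected, while names such as
    # '..hidden' are not flagged.
    segments = re.split(r"[/?&=]", norm)
    return any(seg == ".." for seg in segments)


def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious request line, with the decoded URI."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not has_traversal(m["uri"]):
            continue
        findings.append({
            "ip": m["ip"],
            "method": m["method"],
            "uri": m["uri"],
            "decoded": normalize_uri(m["uri"]),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['uri']} -> {f['decoded']}")
```

Decoding is capped at two rounds deliberately: a third round would start decoding legitimately encoded data, and anything needing more than double encoding is itself worth an alert. On the constructed log the four `POST /skins/delete` lines are flagged and the two `GET` requests are not.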